songtianlun
63cebef027
- Implement remember me checkbox in login form
- Update sessions controller to handle remember me logic
- Enhance session management to prevent session hijacking
- Add tests for remember me functionality

This commit introduces a "Remember me" feature that allows users to stay logged in across sessions. It includes updates to the login form, session handling in the controller, and additional tests to ensure the functionality works as expected. The changes also improve security by validating session tokens to prevent session hijacking.
45 lines
987 B
Ruby
module SessionsHelper
  # Start a server-side session for the given user.
  def log_in(user)
    session[:user_id] = user.id
    # Guard against session replay attacks: the session is only honoured
    # while this token still matches the one stored on the user.
    session[:session_token] = user.session_token
  end

  # Persist a "remember me" login in permanent cookies.
  def remember(user)
    user.remember
    cookies.permanent.encrypted[:user_id] = user.id
    cookies.permanent[:remember_token] = user.remember_token
  end

  # Return the logged-in user, from the session first, then from the
  # remember cookie; nil if neither validates.
  def current_user
    if (user_id = session[:user_id])
      user = User.find_by(id: user_id)
      if user && session[:session_token] == user.session_token
        @current_user = user
      end
    elsif (user_id = cookies.encrypted[:user_id])
      user = User.find_by(id: user_id)
      if user && user.authenticated?(cookies[:remember_token])
        log_in user
        @current_user = user
      end
    end
  end

  def logged_in?
    !current_user.nil?
  end

  # Drop the persistent login: server-side digest and both cookies.
  def forget(user)
    user.forget
    cookies.delete(:user_id)
    cookies.delete(:remember_token)
  end

  # Forget the user, then discard the whole session so the old
  # session id and session_token cannot be reused.
  def log_out
    forget(current_user)
    reset_session
    @current_user = nil
  end
end
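The helper above calls `user.remember`, `user.remember_token`, `user.authenticated?` and `user.session_token`, which live in the User model and are not shown on this page. The following is an added example, not the project's code, of a minimal plain-Ruby model that supplies those methods so the helper's checks can be exercised; the class name `RememberableUser` and the use of SHA-256 in place of the BCrypt digest the Rails app would use are assumptions.

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-in for the app's User model (not the project's code):
# only the attributes and methods the sessions helper calls are modelled.
class RememberableUser
  attr_accessor :id, :remember_token, :remember_digest

  def initialize(id)
    @id = id
    @remember_digest = nil
  end

  # Hash a token before storing it. SHA-256 stands in for BCrypt here so the
  # example runs on stock Ruby; acceptable only because tokens are long random values.
  def self.digest(token)
    Digest::SHA256.hexdigest(token)
  end

  def self.new_token
    SecureRandom.urlsafe_base64
  end

  # Issue a fresh token and store only its digest server-side.
  def remember
    self.remember_token = RememberableUser.new_token
    self.remember_digest = RememberableUser.digest(remember_token)
    remember_digest
  end

  # Dropping the digest invalidates every outstanding remember cookie.
  def forget
    self.remember_digest = nil
  end

  # The value log_in copies into session[:session_token]; once the digest
  # changes (forget, then remember), sessions holding the old value stop matching.
  def session_token
    remember_digest || remember
  end

  # Compare in constant time so timing does not leak how many bytes match.
  def authenticated?(token)
    return false if token.nil? || remember_digest.nil?
    candidate = RememberableUser.digest(token)
    return false unless candidate.bytesize == remember_digest.bytesize
    candidate.bytes.zip(remember_digest.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```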